Subject Access Requests
The following is provided by way of general advice. For more detailed explanation and guidance please refer directly to the Information Commissioner's Office (ICO) website.
When a person requests a copy of all their personal data from either the Scouts UK headquarters or a Scout Group, District, County/Area/Region (Scotland), they are in effect making a Subject Access Request (SAR) under the GDPR, which provides rules as to how a SAR must be complied with. As the GDPR applies to both the Scouts UK headquarters and local Scouting (each Scout Group, District, County/Area/Region (Scotland) is created and operates as an independent charity in its own right), both must comply with SARs.
The following is provided as guidance on how to respond to and comply with a SAR; for more detailed explanation, please refer to the ICO website. The GDPR removes the ability to charge a £10 Subject Access fee by default, unless the SAR is manifestly unfounded, excessive or repetitive. A SAR can be made in writing or, within reason, by any other means the Data Subject chooses as their preferred communication channel (verbally, for example). The deadline for compliance is one month from receipt of the SAR. This deadline can be extended to three months if the SAR is complex or the requests are numerous, but the reason for the extension needs to be communicated within the first month.
(It's important to note that the GDPR rules do not apply to individuals collecting information solely for their own domestic and household affairs, e.g. an address book, or solely for research, journalistic, artistic or literary purposes. Note also that the subject will not be requesting information under the Freedom of Information Act (FOI), although they may sometimes believe they are: the FOI applies to Public Authorities and does not apply to the Scouts UK headquarters or local Scouting.)
When your Scout Group, District, County/Area/Region (Scotland) receives a SAR, the GDPR subject access request process for Executive Committees should be followed. This is part of Step 4: Understanding data subjects in the GDPR toolkit.
Compliance with SAR
For more detailed information and advice please visit the ICO website.
The ICO also operates a helpline which you can use to ask general questions (you do not have to identify yourself or the organisation you are calling from). Please also let us know if you have any queries. The following is a brief guide only.
Exempt or third-party data should be redacted using a black pen or white corrector tape, and the subject should be sent photocopies of the redacted documents (not the originals) so that the redacted data cannot be deciphered by close inspection or by removing the corrector tape.
Where to make a Subject Access Request
All Subject Access Requests (SARs) made directly to the Scouts UK headquarters for personal data held as the Data Controller should be sent to the Legal Services Department. Please note that the Scouts UK headquarters does not process SARs made directly to Local Scout Groups, Districts, Counties/Areas/Regions (Scotland). Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) are separate charities and therefore Data Controllers in their own right. When Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) receive a SAR, they should follow the guidance in the GDPR toolkit. If required, Local Scout Groups, Districts, Counties/Areas/Regions (Scotland) can contact the Legal Services Department for further guidance.